
docs: Lumens rev 3.5 — Codex soundness pass (totality/bounds/determinism + fixes)#39

Merged: iret77 merged 1 commit into main from feat/lumens-rev-3.5-soundness, Jun 16, 2026

@iret77 iret77 commented Jun 16, 2026


Independent adversarial Codex review (saved at
docs/protocol/reviews/codex-rev3.4.md)
tested soundness where the internal passes tested expressibility, and found a
real layer they missed. rev 3.5 addresses all of it.

  • §2.9 (new) totality (÷0/overflow/NaN → halt), provable bounds (numerics
    feeding range/pad MUST declare max), determinism (canonical record-key order,
    seeded {random}/{now} nodes).
  • §6.4 / §13.5 (new) effect determinism (effectId, declaration-order,
    on-XOR, logical-time debounce) + replay/recording with const-hash per frame.
  • §2.6 normative kernel determinism contract (numbers stay L0-deferred).
  • Contradictions: defs↔state, effect args↔{event}, assetRef split from
    dataRef, captureLongPress, StateDelta root, concept std-lib wording.
  • Security: free-colour chrome/consent spoofing closed (host-only trust
    surface); taint rule made a static AST walk.
  • Refinements: PortType, hit-test order, loadData lifecycle, dirty-track
    semantics, capability wire schema, brokeredCapabilitySupport.

⚠️ Several are default design decisions flagged for veto — see the PR
discussion / the rev-3.5 note in lumens-spec.md.

🤖 Generated with Claude Code

…ism + fixes)

Independent adversarial review (Codex gpt-5.5, high reasoning; saved verbatim at
docs/protocol/reviews/codex-rev3.4.md) tested SOUNDNESS where the internal passes
tested expressibility, and found a real layer they missed. rev 3.5 addresses all
of it (several default decisions, flagged for veto):

Soundness (new §2.9):
- Totality: ÷0 / mod0 / overflow / NaN / Infinity → defined result or halt with
  surface_error; string index/slice clamped; mandatory else.
- Bounds: numerics feeding range/pad/size-ops MUST declare max (validator
  rejects unbounded range(score)); per-op output caps.
- Determinism: canonical record-key order (no engine-observable object order);
  {random}/{now} as seeded nodes (were missing from the AST catalog).

Effects + replay:
- §6.4: deterministic effectId, declaration-order firing, on:transition XOR
  on:{when}, logical-time debounce/coalesce recorded in the trace.
- §13.5 (new): replay/recording model — logical clock, effect-id-tagged result
  re-feed, const content-hash in every frame.
- §2.6: normative kernel determinism contract (seed/tie-breaks/float); per-kernel
  numbers stay an L0 deliverable, the contract does not.

Contradictions fixed: defs may read state (§2.8); effect args may read {event}
(§6.4); assetRef split from dataRef (§1.1, asset handle vs structured
projection); captureLongPress in EventBinding (§4); StateDelta transition root +
non-overlapping multi-set (§2.5); concept §3 stops calling map/filter/fold
std-lib.

Security: free-colour chrome/consent SPOOFING closed — consent/auth prompts are
host chrome outside the Lumen subtree with unforgeable attribution (§3.1); the
state/DataRef-derived → external-effect TAINT rule made a static AST walk (§6).

Refinements: PortType + port read/emit + expose addressing (§7); hit-test
order/tie-breaks/drag capture (§4.1); loadData lifecycle + cap accounting (§1.1);
dirty-track is optimisation-not-semantic (§5); surface_capability_* wire schema
(§12); capabilityClasses → brokeredCapabilitySupport (§13); {var path} record-
only (§2.2). §11 security table + §14 reclassification updated; walkthrough
examples updated to rev-3.5 grammar; concept v0.11.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@iret77 iret77 merged commit 90433df into main Jun 16, 2026
1 check passed
@iret77 iret77 deleted the feat/lumens-rev-3.5-soundness branch June 16, 2026 13:17